What is postMessage

The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.
Normally, scripts on different pages are allowed to access each other if and only if the pages they originate from share the same protocol, port number, and host (also known as the "same-origin policy"). window.postMessage() provides a controlled mechanism to securely circumvent this restriction (if used properly).
Broadly, one window may obtain a reference to another (e.g., via targetWindow = window.opener), and then dispatch a MessageEvent on it with targetWindow.postMessage(). The receiving window is then free to handle this event as needed. The arguments passed to window.postMessage() (i.e., the "message") are exposed to the receiving window through the event object.
Source: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

XSS

This is mainly shown in the AppSec video above, and as I mentioned in my previous article, XSS is the most impactful outcome of a postMessage bug. The code below is probably vulnerable: it passes the data received as b.data.evalCall straight into eval(), so a message posted from another window, like the second snippet on the page that calls it, is enough to trigger XSS.

Sensitive data leakage

postMessage can also be used to steal sensitive data. As with JSON hijacking and other data-theft techniques, a page that sends data over postMessage must verify the window that requested it (the parent). If an attacker embeds the vulnerable page as a child (for example in an iframe) on their own site and requests the data through postMessage, the victim's information is easily obtained.
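The two failure modes above (an untrusted message reaching eval(), and data being replied to a window that never proved its origin) share one fix: check event.origin on receipt, dispatch only to a fixed set of handlers, and always pass an explicit targetOrigin when replying. The listener below is an added example, not code from the original post; the origins and message types are constructed, and the handler takes an event-like object so the checks can be exercised outside a browser.

```javascript
// Added example (not from the original post): a defensive postMessage
// listener. Origins and message types below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",  // constructed: the only windows we talk to
  "https://auth.example.com",
]);

// Each accepted message type maps to a fixed function, so message contents
// never reach eval(), Function() or innerHTML.
const HANDLERS = {
  setTheme: (payload) => ({ theme: payload.theme === "dark" ? "dark" : "light" }),
  ping: () => ({ pong: true }),
};

// Validate one MessageEvent (or event-like object). Returns an explicit
// verdict so the accept/reject decision is observable and testable.
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // hasOwnProperty guards against types like "toString" hitting the prototype.
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) {
    return { ok: false, reason: "unknown type: " + msg.type };
  }
  return { ok: true, result: HANDLERS[msg.type](msg.payload || {}) };
}

// Reply to the sender with its verified origin as targetOrigin, never "*",
// so a parent or opener on another origin cannot receive the data.
function replyTo(event, payload) {
  if (!ALLOWED_ORIGINS.has(event.origin) || !event.source) return false;
  event.source.postMessage(payload, event.origin);
  return true;
}

// Browser wiring; a no-op where window is undefined (e.g. Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const verdict = handleMessage(event);
    if (verdict.ok) replyTo(event, { type: "result", result: verdict.result });
  });
}
```

A message shaped like the page's {evalCall: ...} from the attacker's origin is rejected at the origin check, and even from an allowed origin it is rejected as an unknown type.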

How to use postMessage-tracker?

Load the extension by going to Chrome (Firefox) => Settings => Extensions => Load from file or dir. The exact menu differs by browser, so check the steps for the browser you use.

Although the description says it was made for Chrome, it actually works across platforms, because Chromium-based browsers and Firefox use the same JavaScript extension format. When you visit a page that uses postMessage with the extension installed, the extension shows the relevant code. You can inspect it, check whether it leads to XSS or another vulnerability, and then chain it into an actual finding.